KR20200058147A - Electronic apparatus and controlling method thereof - Google Patents

Abstract

In the present disclosure, provided are an electronic device and a control method thereof. The electronic device includes: a memory in which a kernel and at least one application are stored; and a processor which creates a first rule to determine when an application calls a system to execute a process, determines whether the application corresponds to a security verified application based on the first rule, generates a second rule, when the application corresponds to the security-verified application, for skipping surveillance based on a plurality of predefined rules.

Description

Electronic device and its control method {ELECTRONIC APPARATUS AND CONTROLLING METHOD THEREOF}

The present disclosure relates to an electronic device and a control method thereof, and more particularly, to an electronic device performing an audit for an application and a control method thereof.

With the development of electronic communication technology, wireless communication technology has become common, and security technology for preventing hacking or leakage of personal information has been developed.

In this regard, recently, an operating system running on an electronic device includes a security-related system.

1 is a diagram for explaining a conventional electronic device including an audit system among security-related systems.

The electronic device monitors the processes 30-1 to 30-3 by an application running on the electronic device using the audit system 10. When an event such as a system call occurs in the processes 30-1 to 30-3 executed in the electronic device, the electronic device uses the monitoring system 10 to log a lot of information about the event ( log). Then, the electronic device uses the generated log to determine whether an event that violates the security policy of the electronic device has occurred.

To this end, the monitoring system 10 includes a plurality of rules 11 that generate a log when a predetermined event occurs.

For example, when a process 30-1 to 30-3 executed by an application generates an event such as a system call to access the file system 40, the electronic device sends to the monitoring system 10. Monitoring of the event is performed using a plurality of preset rules 11 included.

Specifically, when a system call occurs in a process executed by an application, the monitoring process 20 of the electronic device sequentially traverses a plurality of pre-set rules 110 included in the monitoring system 10 to the system call. Surveillance. Then, when the generated event meets a condition included in any one of a plurality of preset rules, the monitoring process 20 logs a corresponding rule.

At this time, the generated log is stored in the log storage 50, and the electronic device refers to the log stored in the log storage 50 to the system call generated by the processes 30-1 to 30-3. You can get information about.

On the other hand, a plurality of rules preset in the monitoring system 20 are globally defined rules, and the electronic device processes 30-1 to 30-3 executed by an application using the monitoring process 20 ) A plurality of predetermined rules are traversed for each.

In this case, as the plurality of preset rules increases, the number of logs to be recorded and stored by the monitoring process 20 for one process increases, and the overhead of the system is reduced in that the system takes a lot of time to analyze the log ( overhead).

On the other hand, as the number of preset rules is less, the log recorded and stored by the monitoring process 20 for one process decreases, and the system takes less time to analyze the log, but the security of the system becomes weak. have.

The present disclosure is intended to solve the above-described problems, and an object of the present disclosure is to skip an surveillance process for a process executed by a security-verified application and to skip an untrusted process only for an electronic device and its object. In providing a control method.

An electronic device according to an embodiment of the present disclosure includes a memory in which a kernel and at least one application are stored; And a processor that executes the application to perform an operation corresponding to a request generated in the kernel based on the system call when a system call generated by a process executed by the application is delivered to the kernel. It includes.

At this time, the kernel may perform an audit of the system call based on a plurality of predefined rules.

In addition, the processor generates a first rule for determining when the application calls the system to execute the process, and determines whether the application corresponds to a security verified application based on the first rule. When an application corresponds to a security verified application, a second rule for skipping the monitoring based on the predefined plurality of rules may be generated.

In addition, when a log for the system call is generated by the first rule, the processor may skip the monitoring based on the predefined plurality of rules according to the second rule.

In addition, the processor adds the first rule before the predefined plurality of rules, and when it is determined by the first rule that the application corresponds to a security-verified application, the predefined plurality of rules By adding the second rule before, the monitoring based on the plurality of rules defined by the second rule can be skipped.

And, the first rule may include a rule that generates a log when the application makes the system call to execute the process, and the processor logs the system call based on the first rule. When is generated, the second rule may be generated.

In addition, the processor performs supplementary verification on at least one application stored in the memory, and generates a list including information on at least one application that has been securely verified among the at least one application, and stores it in the memory. Can be.

The processor may determine whether the application executing the process corresponds to an application for which security verification has been completed based on the list.

In addition, the processor may generate a third rule for monitoring tampering with respect to at least one security verified application included in the list.

In addition, when the modulation for the application is identified according to the third rule, the processor may delete information on the application for which the modulation is identified from the list.

In addition, the processor generates the third rule for generating a log when the tampering is identified for at least one security verified application included in the list, and at least one security verified application included in the list Among them, it can be identified that the application included in the log generated according to the third rule is tampered with.

On the other hand, in the method of controlling an electronic device according to an embodiment of the present disclosure, the electronic device generates a first rule for determining a point in time when an application makes a system call to execute the process, executed by the application The system call generated by the process is delivered to the kernel, and when the application corresponds to the security-verified application based on the first rule, an audit based on a plurality of predefined rules is performed. And generating a second rule for skipping, and performing an operation corresponding to the request generated by the kernel based on the system call.

At this time, the kernel monitors the system call based on a plurality of predefined rules.

Meanwhile, the control method may further include, when the log for the system call is generated by the first rule, skipping monitoring based on the predefined plurality of rules according to the second rule. have.

In addition, the control method may include adding the first rule before the predefined plurality of rules, and when it is determined that the application corresponds to the security verified application by the first rule, the predefined method The method may further include skipping the monitoring based on the predefined plurality of rules according to the second rule, by adding the second rule before the plurality of rules.

Further, the first rule may include a rule that issues a log when the application performs the system call to execute the process.

The generating of the second rule may include generating the second rule when the log for the system call is generated based on the first rule.

In addition, the control method may include performing a supplementary verification of at least one application stored in the electronic device, and generating a list including information on the at least one securely verified application among the at least one application. The method may further include storing in the electronic device.

The method may further include determining whether the application executing the process corresponds to an application for which security verification has been completed based on the list.

In addition, the method may further include generating a third rule for monitoring tampering with respect to at least one security verified application included in the list.

In addition, when the modulation for the application is identified according to the third rule, the method may further include deleting information on the application for which the modulation is identified from the list.

Further, the generating of the third rule may include generating the third rule for generating a log when the tampering is identified for at least one security verified application included in the list. .

In addition, the control method may further include identifying an application included in the log generated according to the third rule as being tampered with at least one security verified application included in the list.

According to the above-described embodiment, the electronic device may reduce overhead while maintaining the security of the system by skipping monitoring for a process executed by a security-verified application.

1 is a view for explaining a conventional electronic device,
2 is a view for explaining an electronic device according to various embodiments of the present disclosure;
3 is a block diagram illustrating an electronic device according to an embodiment of the present disclosure;
4 to 6 are diagrams for describing an electronic device according to an embodiment of the present disclosure;
7 is a block diagram illustrating in detail an electronic device according to an embodiment of the present disclosure;
8 is a flowchart illustrating a method of controlling an electronic device according to an embodiment of the present disclosure.

Terms used in this specification will be briefly described, and the present disclosure will be described in detail.

Terms used in the embodiments of the present disclosure, while considering the functions in the present disclosure, general terms that are currently widely used are selected, but this may vary depending on the intention or precedent of a person skilled in the art or the appearance of new technologies. . In addition, in certain cases, some terms are arbitrarily selected by the applicant, and in this case, the meaning will be described in detail in the description of the corresponding disclosure. Therefore, the terms used in the present disclosure should be defined based on the meaning of the terms and the contents of the present disclosure, not simply the names of the terms.

Since the embodiments of the present disclosure can apply various transformations and have various embodiments, specific embodiments will be illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the scope of the specific embodiments, it should be understood to include all conversions, equivalents, or substitutes included in the scope of the disclosed idea and technology. In the description of the embodiments, when it is determined that the detailed description of the related known technology may obscure the subject matter, the detailed description is omitted.

Terms such as first and second may be used to describe various components, but the components should not be limited by the terms. The terms are only used to distinguish one component from other components.

Singular expressions include plural expressions unless the context clearly indicates otherwise. In this application, terms such as “comprises” or “consist of” are intended to indicate that a feature, number, step, operation, component, part, or combination thereof described in the specification exists, one or more other It should be understood that features or numbers, steps, operations, components, parts or combinations thereof are not excluded in advance.

In the present disclosure, "module" or "unit" performs at least one function or operation, and may be implemented in hardware or software, or a combination of hardware and software. In addition, a plurality of "modules" or a plurality of "parts" are integrated into at least one module except for "modules" or "parts" that need to be implemented with specific hardware to be implemented with at least one processor (not shown). Can be.

Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those skilled in the art to which the present disclosure pertains can easily implement them. However, the present disclosure may be implemented in various different forms and is not limited to the embodiments described herein. In addition, in order to clearly describe the present disclosure in the drawings, parts irrelevant to the description are omitted, and like reference numerals are assigned to similar parts throughout the specification.

An application according to embodiments of the present disclosure refers to software used by a user running on a computer operating system (OS) or a mobile OS. For example, the application may be a web browser, camera application, mobile payment application (or electronic payment application, payment application), photo album application, word processor, spread Spread sheet, contacts application, calendar application, memo application, alarm application, social network system (SNS) application, call application, game store , A game application, a chat application, a map application, a music player or a video player.

The application according to embodiments of the present disclosure may refer to software that is executed on an electronic device or an external device (eg, a wearable device, a server, etc.) that is wirelessly or wiredly connected to the electronic device.

An electronic device according to various embodiments of the present disclosure includes, for example, a smart phone, a tablet personal computer (PC), a mobile phone, a video phone, an e-book reader, Desktop PC (desktop personal computer), laptop PC (laptop personal computer), netbook computer (netbook computer), workstation (workstation), server, PDA (personal digital assistant), PMP (portable multimedia player), MP3 player, mobile medical It may include at least one of a device, a camera, or a wearable device. According to various embodiments, the wearable device may be an accessory type (for example, a watch, ring, bracelet, anklet, necklace, glasses, contact lens, or head-mounted device (HMD)), a fabric or clothing integrated type ( For example, it may include at least one of an electronic garment), a body attachment type (eg, a skin pad or a tattoo), or a bio-implantable type (eg, an implantable circuit).

In some embodiments, the electronic device may be a home appliance. Household appliances include, for example, televisions, digital video disk (DVD) players, audio, refrigerators, air conditioners, vacuum cleaners, ovens, microwave ovens, washing machines, air cleaners, set-top boxes, and home automation controls. Home automation control panel, security control panel, TV box (eg Samsung HomeSync ™, Apple TV ™, or Google TV ™, game console (eg Xbox ™, PlayStation ™, electronic dictionary, electronics) It may include at least one of a key, a camcorder, or an electronic picture frame.

In another embodiment, the electronic device includes various medical devices (eg, various portable medical measurement devices (such as a blood glucose meter, heart rate meter, blood pressure meter, or body temperature meter), magnetic resonance angiography (MRA), magnetic resonance imaging (MRI), Computed tomography (CT), camera, or ultrasound, etc., navigation device, global navigation satellite system (GNSS), event data recorder (EDR), flight data recorder (FDR), automotive infotainment ) Devices, marine electronic equipment (e.g. marine navigation devices, gyro compasses, etc.), avionics, security devices, head units for vehicles, industrial or household robots, automatic teller's machines (ATMs) in financial institutions , Point of sales (POS) in stores, or Internet of things (e.g. light bulbs, various sensors, electricity or gas meters, sprinkler devices, fire alarms, thermostats, street lights, toasters) , Exercise equipment, hot water tank, heater, boiler, etc.).

According to some embodiments, the electronic device may be a furniture or part of a building / structure, an electronic board, an electronic signature receiving device, a projector, or various measuring devices (eg, Water, electricity, gas, or radio wave measurement devices, etc.). In various embodiments, the electronic device may be a combination of one or more of the various devices described above. The electronic device according to an embodiment may be a flexible electronic device. In addition, the electronic device according to the embodiment of the present document is not limited to the above-described devices, and may include a new electronic device according to technological development.

Hereinafter, various embodiments of the present disclosure will be described in detail with reference to the drawings.

2 is a diagram for describing an electronic device according to various embodiments of the present disclosure. Specifically, FIG. 2 is a diagram for describing an electronic device including the monitoring system 110.

The electronic device 1000 may monitor the processes 131 to 133 executed by the application using the monitoring system 110 included in the kernel. Specifically, when the processes 131 to 133 executed by the application access the file system 140 on the kernel through a system call, the electronic device sequentially uses a plurality of rules included in the monitoring system 110 Log information including system call information may be generated, and the generated log information may be stored in the log storage 150. The electronic device may acquire information about a system call in which the processes 131 to 133 have occurred by using log information stored in the log storage 150 and may monitor the process.

Here, the plurality of rules included in the monitoring system 110 may include a plurality of rules defined in the monitoring system 110 and rules added by the electronic device 1000.

The electronic device 1000 may add a rule for monitoring a process to the monitoring system 110 using the audit process 120.

Specifically, the electronic device 1000 stores a list of applications determined to be safe from invasion of viruses or hackers among applications included in the electronic device 1000, and monitors the rules for applications included in the list 110 Can be added to

Here, the list may include identification information of the security-verified application, a path in which the executable file of the application is stored, and the like.

The electronic device 1000 may generate a rule for determining the execution of the security-verified application included in the list using the monitoring process 120, and add it to the set of predetermined rules of the monitoring system 110. In this case, when the execution of the application included in the list is determined by the added rule, the electronic device 1000 additionally monitors the rule for skipping the monitoring of the process executed by the security verified application 110 ).

On the other hand, the electronic device 1000 may generate a rule for monitoring the modulation of the application included in the list using the monitoring process 120 and add it to the set of predetermined rules of the monitoring system 110.

Here, the tampering of the application indicates that the binary code of the file related to the execution of the application is changed by an unauthorized user or system. That is, a user or system without permission for an application changes a file related to the application, and this may be tampered with by malicious codes or hackers.

When an application's tampering is identified by a rule that monitors the tampering of the application, the electronic device may delete information about the application from the list in that the application is no longer a security-verified application. Then, when the application deleted from the list is executed, the electronic device may monitor the application deleted from the list using a plurality of predefined rules included in the monitoring system 110.

That is, the electronic device 1000 omits monitoring of the processes executed by the trusted applications, and performs monitoring only on the processes executed by the untrusted applications, so that the electronic devices are attached to the processes performed in the system. Monitoring can be reduced, and time and overhead for analyzing log information generated as a result of monitoring can be reduced. Accordingly, the efficiency of the system of the electronic device can be increased.

Hereinafter, an electronic device according to various embodiments of the present disclosure will be described in detail.

3 is a block diagram illustrating an electronic device according to an embodiment of the present disclosure.

Referring to FIG. 3, the electronic device 1000 may include a memory 100 and a processor 200.

The memory 100 may store various programs and data necessary for the operation of the electronic device 1000. The memory 100 may store various data generated during program execution, including programs required for execution of at least one application installed in the electronic device 1000.

The memory 100 may include a program area and a data area. In the program area, related information for driving the electronic device 1000 such as an operating system for booting the electronic device 1000 may be stored. In addition, various data transmitted and received during program execution may be stored in the data area.

Also, the memory 100 stores a kernel and at least one application. The kernel is a program included in an operating system installed on an electronic device, and serves to control all systems on the electronic device. Meanwhile, if a kernel is not included according to an operating system, a program that controls all systems on the electronic device may correspond to the kernel of the present disclosure.

The memory 100 may include at least one of a user area, a kernel area, and a hardware area. The user area may include at least one application or a process, container, etc. executed by at least one application. Can be.

The user area of the memory 100 may include a log storage 150 for storing log information generated by various systems in the kernel area. For example, the memory 100 may include a log storage 150 including log information generated by a plurality of rules included in the monitoring system 110.

In addition, the user area may include a list 160 including information on security verified applications among applications included in the electronic device 1000. As described above with reference to FIG. 2, the information on the security-validated application may include identification information of the security-validated application, a path in which an executable file of the application is stored, and the like.

Meanwhile, the kernel area may include a file system 140, a monitoring system 110, and a memory management system (not shown). Here, the file system 140 is a system that manages all files stored in the memory 100 and may include a native file system and a virtual file system. Also, the monitoring system 110 may represent a system that monitors all attempts to access the file system 140.

In particular, the monitoring system 110 may store a plurality of rules for monitoring system calls to access the file system 140 in the electronic device 1000. At this time, a plurality of rules may be sequentially connected physically or systemically, and when one system call occurs, a plurality of rules stored in the monitoring system 110 may be sequentially used.

Meanwhile, the hardware area may include a physical area in which system objects such as at least one folder or directory including data or data related to a function of at least one application installed in the electronic device 1000 are actually stored. For example, in the hardware area of the memory 100, flash memory, hard disk, multimedia card, micro type memory (eg, SD or XD memory), RAM (RAM) ), ROM, and the like.

The processor 200 is electrically connected to the memory 100 to control overall operations and functions of the electronic device 1000.

The processor 200 executes an application stored in the memory 100 of the electronic device 1000. When the application is executed, a process related to the application is created and executed. The process represents a task executed in the electronic device by the application, and each of the plurality of applications may generate and execute a plurality of processes, and one application may also generate and execute a plurality of processes.

When the system call generated by the process executed by the application is delivered to the kernel, the processor 200 executes the application so that the application performs an operation corresponding to the request generated in the kernel based on the system call.

Here, the system call means that the process requests the kernel of the operating system to perform a specific operation, and is divided into a process control system call, a file management system call, a device management system call, an information management system call, and a communication system call. Can be. Process control system calls are system calls for creating, loading, executing, and terminating processes, and file management system calls are for creating, opening, closing, and reading files. System calls for (read), write (delete), save (save), etc., and device management system calls are device request (request), release (release), read (read), write (write) ), A system call for repositioning. In addition, the information management system call may be a process for setting and acquiring system data such as time and date, and the communication system call may be a system call for creating and removing a communication connection, sending / receiving a message, and transmitting status information. have.

On the other hand, if the system call is a process executed by the application, it may be a system call of the present disclosure. That is, the system call of the present disclosure is not limited to a file management system call, and may be a process control system call, a device management system call, an information management system call, or the like.

When the system call is delivered to the kernel, the kernel performs monitoring of the system call based on a plurality of predefined rules. Specifically, the monitoring system 110 included in the kernel performs monitoring of system calls using a plurality of predefined rules included in the monitoring system 110.

The plurality of predefined rules are for determining whether the system call generated by the process matches a preset condition, and may include information such as a target, a condition, and a reaction when the condition is met.

Among the information included in the rule, 'destination' indicates the system call number generated in the process, and 'condition' can indicate information such as the process ID (Process ID, PID), process name, and the path of the file handled by the process. . Here, the path of the file handled by the process may mean a path of a file that the process intends to access in order to open, write, and save.

In addition, 'response when the condition is met' may indicate whether to leave a log when the system call number and condition passed to the kernel match the system call number and condition included in the rule.

The monitoring system 110 sequentially traverses a plurality of predefined rules. At this time, if the system call generated by the process matches the target and information included in the log, the monitoring system 110 may leave log information according to the rule. At this time, the log information may include various information such as a system call number, a condition, and a time when the system call occurred.

That is, the processor 200 may acquire information about the system call called by the process using log information, and may monitor the system in the electronic device based on the information.

Meanwhile, the processor 200 may add at least one rule related to a system call performed by the process to the monitoring system 110. That is, the monitoring system 110 may perform monitoring of the system call using rules added by the processor 200 in addition to the preset rules.

5 and 6 are diagrams for explaining an electronic device that performs monitoring using rules added by the processor 200 according to an embodiment of the present disclosure.

FIG. 5 adds a rule for determining when a process is executed by an application according to an embodiment of the present disclosure and a rule for skipping at least one rule among a plurality of rules pre-stored in the monitoring system 110 A diagram for explaining an electronic device monitoring a system.

The processor 200 generates a first rule 112 that determines when an application makes a system call to execute a process.

When an application executes a process, the process may deliver a system call (eg, execv ()) to the file system 140 included in the kernel.

The processor 200 may use the monitoring process 120 stored in the memory 100 to generate a first rule 112 that determines when an application makes a system call to execute the process. Here, the first rule 112 may include a rule in which a log related to the system call is generated when an application makes a system call to execute a process.

Specifically, the first rule 112 includes information such as a system call number, a process ID, a path of a file handled by a process, and a time when a system call occurred when an application makes a system call to execute a process. You can create logs.

The processor 200 determines whether an application that makes a system call corresponds to a security verified application based on the first rule 112. Specifically, when a log for a system call performed by an application is generated by the first rule 112, the processor 200 analyzes the log using the monitoring process 120 and executes a process corresponding to the log It is possible to determine whether an application corresponds to a security verified application.

At this time, the processor 200 may determine whether the application executing the process corresponds to the security verified application based on the list 160 of the security verified application stored in the memory 100. Specifically, the processor 200 matches the process information included in the log information and the information related to the application that executed the process with the list 160 for the security-proven application stored in the memory 100 so that the application executing the process It can be determined whether it corresponds to the security-verified application.

When the system call application corresponds to the security verified application, the processor 200 generates a second rule 113 for skipping monitoring based on a plurality of predefined rules included in the monitoring system 110.

The processor 200 may add the generated first rule 112 and second rule 113 to a plurality of predefined rules 111-1 and 111-2. At this time, the monitoring process 120 adds the first rule and the second rule to the plurality of rules 111-1 and 111-2 defined in the monitoring system 110, so that the monitoring system 110 is A process may be inspected by using the first rule before the plurality of rules 111-1 and 111-2. Meanwhile, this is one embodiment, and the monitoring process 120 may add the first rule and the second rule between a plurality of rules 111-1 and 111-2 defined in the monitoring system 110.

When the processor 200 adds the first rule 112 before a plurality of predefined rules 111-2 and determines that the application corresponds to the security verified application by the first rule 112, the processor 200 By adding the second rule 113 before the plurality of rules 111-2, the monitoring based on the plurality of rules defined by the second rule 113 can be skipped.

That is, the processor 200 may add the first rule 112 and the second rule 113 to a plurality of predefined rules, and perform monitoring of system calls using the predefined plurality of rules Previously, the first rule is used to identify the system call time and the system call application in order to execute the process, and when the system call application corresponds to the security verified application, the second rule is used to define the application. Monitoring using a plurality of rules can be omitted.

That is, referring to FIG. 5, the processor 200 may perform operations in the following order.

1. The rule for monitoring the process of executing the system call using the monitoring process 120 is added to the monitoring system 110.

2. When the process 180 of the application accesses the file system 140 by executing a system call, the process executing the system call is monitored using the first rule.

3. The monitoring process 120 obtains a log record from the first rule, and analyzes the obtained log record.

4. Check the list of verified applications 160 to determine whether the application of the process that executed the system call is a verified application.

5. When the application of the process that executed the system call is a verified application, a second rule that skips a plurality of predefined rules is added.

Meanwhile, FIG. 6 is a diagram for describing an electronic device that monitors a system by adding a rule for monitoring modulation of an application according to an embodiment of the present disclosure.

The processor 200 may generate a third rule for monitoring tampering with respect to at least one security verified application included in the verified application list. Since the modification to the application is performed by writing to a file or program related to the application, the processor 200 monitors whether a system call is attempted to write to the file or program related to the application. A third rule can be generated. Here, the file or program related to the application may include an execution program for executing the application, a file for setting or changing authority for the application, and the like.

To this end, the processor 200 may obtain the path of the application from the list of verified applications using the monitoring process 120. The path of the application may indicate a file or program related to execution of the application, or a location where the file or program for determining or changing authority for the application is stored in the memory 100.

The processor 200 may generate a third rule for generating a log when tampering is identified for at least one security verified application included in the list of verified applications.

Then, the processor 200 may identify that the application included in the log generated according to the third rule among the at least one securely verified application included in the list of verified applications has been tampered with.

For example, the list of verified applications includes A application, B application, C application, and the like, and application information of A application is included in log information generated according to the third rule that monitors system calls related to application modulation. If it is, the processor 200 may identify that the A application has been tampered with using log information generated according to the third rule.

When the modulation for the application is identified according to the third rule, the processor 200 may delete information about the application for which the modulation is identified from the list of verified applications. Specifically, in that the application for which the modulation is identified according to the third rule can no longer be viewed as a security verified application, the processor 200 uses the monitoring process 120 to perform modulation in the list of security verified applications. Information about the identified application can be deleted.

Then, the processor 200 may modify the third rule added to the monitoring system 110 to correspond to the list of verified applications. Specifically, the processor 200 may delete information of an application for which modulation has been identified from information related to the application, such as a system call number included in the third rule, an application process ID, and a path of a file associated with the application.

Thereafter, the processor 200 may monitor the system call by sequentially using a plurality of predefined rules when the process executed by the application for which the modulation is identified performs a system call. That is, in the fact that the information of the application for which the modulation has been identified has been deleted from the list of verified applications, the above-described embodiments in FIGS. 5 and 6 cannot be applied, and the processor 200 is defined as stored in the monitoring system 110. An application in which modulation is identified can be monitored using a plurality of rules.

That is, referring to FIG. 6, the processor 200 may perform operations in the following order.

1. Obtain the path of the security-verified application using the monitoring process 120.

2. Add a third rule for monitoring whether an application exists in the path of the obtained security verified application is tampered with.

3. When a suspicious application such as malicious code accesses the path of the security-verified application and modulates the application, the application is detected according to the third rule.

4. Obtain log information generated according to the third rule using the monitoring process 120, and analyze the log information to determine an application for which modulation has been identified.

5. Delete the information of the application for which tamper is identified from the list of security verified applications.

6. In the third rule stored in the monitoring system, information of the application for which the modulation has been identified is deleted.

As described above with reference to FIGS. 5 and 6, the processor 200 may add a rule related to a system call to the monitoring system 110 using a list of security verified applications. To this end, the processor 200 may generate a list of security verified applications.

In this regard, FIG. 4 is a diagram for describing an electronic device that generates a list of security verified applications according to an embodiment of the present disclosure.

The processor 200 performs security verification on at least one application stored in the memory 100 and generates a list including at least one application for which security verification has been performed among the at least one application to the memory 100 Can be saved.

Specifically, when the electronic device 100 is booted, the processor 200 may perform security verification of the application stored in the memory 100. The security verification here indicates that the application stored in the memory 100 is compared with a predetermined malicious behavior pattern or malicious code to identify whether the application is a suspected malicious application.

Pre-defined malicious behavior patterns include, for example, address book leakage, message leakage, photo leakage, fraudulent charging, transmission of unencrypted personal information to the network, continuous connection with a specific server (SSH session), files in the shared directory Continuous encryption attempts (suspected as ransomware), rapid network communication increase, continuous attempts to change system privileges and files, forcibly shutting down other applications, applications without network privileges constantly trying to communicate with the network, cellular data communication This may include triggering spam messages, sending spam messages, applications without GPS permission, transmitting coordinate information to the network, continuously accessing certain overseas illegal sites, making international calls, and draining batteries.

After performing the security verification, the processor 200 may search for files of the security verified application using the verified application generation module 170. Here, the file of the application is a file used to execute the application, and may include a binary file or a source file.

The processor 200 may generate a list including information on at least one application that is securely verified among at least one application stored in the memory and store it in the memory 100. At this time, the information on the application may include identification information of the application, an executable file of the application, or a path of the program, and the executable file or program of the application may include source code or binary code.

The processor 200 may determine whether an application executing a process corresponds to an application for which security verification has been completed based on a list of security verified applications stored in the memory 100.

For example, if the application executing a specific process is included in the list of security verified applications, the processor 200 may determine that the application is a security verified application. When the application is determined to be a security verified application, the processor 200 may omit monitoring of the security verified application using rules added to the monitoring system 110 as described above in FIG. 5.

And, if the application that executes the specific process is not included in the list of security verified applications, the application is determined as an unsecured, unsafe application, and a plurality of predefined rules of the monitoring system 110 are determined. Can be used to monitor the application.

7 is a block diagram illustrating in detail an electronic device according to an embodiment of the present disclosure.

Referring to FIG. 7, a memory 100, a processor 200, a communication unit 300, a display 4000, a speaker 500, a GPS chip 600, an input unit 700, a camera 800, and a microphone 900 ). Although not illustrated according to the embodiment, appropriate hardware / software configurations of those skilled in the art may be additionally included in the electronic device 1000. In addition, some configurations may be excluded depending on the embodiment.

The communication unit 300 may be connected to a network through, for example, wireless communication or wired communication to communicate with external devices. Wireless communication is, for example, a cellular communication protocol, for example, long-term evolution (LTE), LTE Advance (LTE-A), code division multiple access (CDMA), wideband CDMA (WCDMA), universal (UMTS) Mobile telecommunications system), WiBro (Wireless Broadband), or GSM (Global System for Mobile Communications) may be used. Further, the wireless communication may include short-range communication, for example. The short-range communication may include, for example, at least one of WiFi direct (wireless fidelity direct), Bluetooth (Bluetooth), near field communication (NFC), and Zigbee. The wired communication may include at least one of a universal serial bus (USB), a high definition multimedia interface (HDMI), a recommended standard232 (RS-232), or a plain old telephone service (POTS). The network may include at least one of a telecommunications network, for example, a computer network (eg, LAN or WAN), the Internet, or a telephone network.

The display 400 is a configuration for outputting an image. The display 500 includes, for example, a liquid crystal display (LCD), a light-emitting diode (LED) display, an organic light-emitting diode (OLED) display (such as AMOLED) (active-matrix organic light-emitting diode), PMOLED (passive-matrix OLED), or microelectromechanical systems (MEMS) display, or electronic paper display. The touch sensor of the display 400 and the input unit 700 may be implemented as a touch screen by forming a mutual layer structure.

The speaker 500 is a component capable of outputting audio. For example, the speaker 500 may output various information, such as information about the suspect application, isolation of the application, release of the isolation, and the like.

The GPS chip 600 is a component for receiving a GPS signal from a GPS (Global Positioning System) satellite and calculating a current position of the electronic device 1000. The location information of the electronic device 1000 may be accessed by a specific application according to the access authority. If the application is isolated, access to location information may be blocked.

The input unit 700 may receive a user input and transmit it to the processor 200. The input unit 700 may include, for example, a touch sensor, a (digital) pen sensor, a pressure sensor, and a key. For the touch sensor, for example, at least one of capacitive, pressure-sensitive, infrared, and ultrasonic methods may be used. The (digital) pen sensor, for example, may be part of the touch panel or may include a separate recognition sheet. The key can include, for example, a physical button, an optical key, or a keypad.

The camera 800 is configured to capture a still image or a video according to a user's control. The camera 800 may be embodied as a plurality of front cameras and rear cameras. A specific application may access photos and videos taken using the camera 800 according to access rights. If the application is quarantined, access to photos and videos may be blocked.

The microphone 900 may generate (or convert) a voice or sound received from the outside into an electrical signal. The electrical signal generated by the microphone 900 may be stored in the memory 100 or output through the speaker 500. The microphone 900 may be composed of one or a plurality of microphones.

The description of the memory 100 and the processor 200 may use the description of the memory 100 and the processor 200 of FIG. 3.

The processor 200 may include a RAM 210, a ROM 220, a CPU 230, a graphic processing unit (GPU) 240, and a bus 250. The RAM 210, the ROM 220, the CPU 230, and the GPU 240 may be connected to each other through the bus 250.

The CPU 230 may access the memory 100 and boot using the O / S stored in the memory 100. Also, various operations may be performed using various programs, contents, and data stored in the memory 100.

The ROM 220 stores a set of instructions for booting the system. When the turn-on command is input and power is supplied, the CPU 230 copies the O / S stored in the memory 100 to the RAM 210 according to the command stored in the ROM 220, and executes the O / S to operate the system. Boot. When the booting is completed, the CPU 230 performs various operations by copying various programs stored in the memory 100 to the RAM 210 and executing programs copied to the RAM 210. When the booting of the electronic device 1000 is completed, the GPU 240 may display UIs and UI elements corresponding to an application stored in the memory 100 on the display 400.

8 is a flowchart illustrating a method of controlling an electronic device according to an embodiment of the present disclosure.

Referring to FIG. 8, the electronic device 1000 may generate a first rule that determines when an application makes a system call to execute a process (S810).

In this case, the electronic device 1000 may add the first rule before a plurality of rules defined in the monitoring system.

Then, the system call generated by the process executed by the application may be delivered to the kernel (S820).

In addition, when the application corresponds to the security-verified application based on the first rule, a second rule for skipping monitoring based on a plurality of predefined rules may be generated (S830).

Here, the first rule includes a rule for issuing a log when an application performs a system call to execute a process, and when a log for a system call is generated based on the first rule, a second rule is generated. Can be.

At this time, when the log for the system call is generated by the first rule, the electronic device 1000 may skip monitoring based on a plurality of rules defined according to the second rule.

Specifically, when it is determined that the application corresponds to the security-verified application according to the first rule, the second rule is added before the predefined plurality of rules to monitor based on the plurality of rules defined according to the second rule Can be skipped.

Then, the electronic device 1000 may perform an operation corresponding to the request generated in the kernel based on the system call (S840).

Meanwhile, the electronic device 1000 may perform security verification for at least one application stored in the electronic device 1000. Also, a list including information on at least one application that has been securely verified among at least one application may be generated and stored in the electronic device.

At this time, the electronic device 1000 may determine whether the application executing the process corresponds to the application for which security verification has been completed based on the list.

Meanwhile, the electronic device 1000 may generate a third rule for monitoring tampering with respect to at least one security verified application included in the list. At this time, if the modulation for the application is identified according to the third rule, information on the application for which the modulation is identified can be deleted from the list.

In addition, the electronic device 1000 generates a third rule for generating a log when tampering is identified for at least one security verified application included in the list, and is selected from among at least one security verified application included in the list. 3 The application included in the log generated according to the rule can be identified as being tampered with.

Meanwhile, the control method as described above may be implemented as a program including an executable algorithm that can be executed on a computer, and the program can be provided stored in a non-transitory computer readable medium.

A non-transitory readable medium means a medium that stores data semi-permanently and that can be read by a device, rather than a medium that stores data for a short time, such as registers, caches, and memory. Specifically, the various applications or programs described above may be stored and provided on a non-transitory readable medium such as a CD, DVD, hard disk, Blu-ray disk, USB, memory card, ROM, and the like.

The preferred embodiments of the present disclosure have been described and described above, but the present disclosure is not limited to the specific embodiments described above, and it is not limited to the specific embodiments described in the claims, without departing from the gist of the present disclosure claimed in the claims. Of course, various modifications can be made to anyone having ordinary knowledge, and such changes are within the scope of the claims.

1000: electronic device 100: memory
200: processor

Claims (18)

In the electronic device,
A memory in which a kernel and at least one application are stored; And
A processor that executes the application to perform an operation corresponding to a request generated in the kernel based on the system call when a system call generated by a process executed by the application is delivered to the kernel; Includes,
The kernel performs an audit of the system call based on a plurality of predefined rules,
The processor,
Create a first rule to determine when the application calls the system to execute the process, determine whether the application corresponds to a security verified application based on the first rule, and the application is a security verified application If it corresponds to, the electronic device generates a second rule for skipping the monitoring based on the predefined plurality of rules. According to claim 1,
The processor,
If the log for the system call is generated by the first rule, the electronic device skips the monitoring based on the predefined plurality of rules according to the second rule. According to claim 1,
The processor,
If the first rule is added before the predefined plurality of rules, and it is determined that the application corresponds to the security verified application by the first rule, the second rule before the predefined plurality of rules In addition, the electronic device skips the monitoring based on the plurality of rules defined by the second rule. According to claim 1,
The first rule,
And a rule for generating a log when the application performs the system call to execute the process,
The processor,
When the log for the system call is generated based on the first rule, the electronic device generates the second rule. According to claim 1,
The processor,
An electronic device that performs a supplementary verification of at least one application stored in the memory and generates a list including information on the at least one security verified application among the at least one application, and stores the list in the memory. The method of claim 5,
The processor,
Based on the list, it is determined whether the application that executes the process corresponds to an application for which security verification has been completed. The method of claim 5,
The processor,
And generate a third rule for monitoring tampering for at least one securely verified application included in the list. The method of claim 7,
The processor,
When the modulation for the application is identified according to the third rule, the information on the application for which the modulation is identified is deleted from the list. The method of claim 7,
The processor,
When the tampering is identified for at least one security verified application included in the list, the third rule for generating a log is generated, and the third rule among the at least one security verified application included in the list is generated. An electronic device that identifies that the application included in the generated log is tampered with. In the control method of the electronic device,
Generating a first rule for determining when an application calls a system to execute a process;
Passing a system call generated by the process executed by the application to a kernel;
Generating a second rule for skipping an audit based on a plurality of predefined rules when the application corresponds to a security verified application based on the first rule; And
And performing an operation corresponding to the request generated by the kernel based on the system call.
The kernel, the control method for performing monitoring of the system call based on a plurality of predefined rules. The method of claim 10,
The control method,
And if the log for the system call is generated by the first rule, skipping monitoring based on the predefined plurality of rules according to the second rule. The method of claim 10,
The control method,
Adding the first rule before the predefined plurality of rules; And
When it is determined by the first rule that the application corresponds to a security-verified application, the second rule is added to the plurality of rules before the predefined plurality of rules, and the plurality of predefined rules according to the second rule And skipping the monitoring based on the control method. The method of claim 10,
The first rule,
And a rule for issuing a log when the application performs the system call to execute the process.
Generating the second rule,
And generating the second rule when the log for the system call is generated based on the first rule. The method of claim 10,
The control method,
Performing complementary verification on at least one application stored in the electronic device; And
And generating a list including information on the at least one security-validated application among the at least one application, and storing the list in the electronic device. The method of claim 14,
And determining whether the application executing the process corresponds to an application for which security verification has been completed based on the list. The method of claim 14,
And generating a third rule for monitoring tampering with respect to at least one security-validated application included in the list. The method of claim 16,
And if the modulation for the application is identified according to the third rule, deleting information on the application for which the modulation is identified from the list. The method of claim 16,
Generating the third rule,
And generating the third rule for generating a log when the tampering is identified for at least one security verified application included in the list.
The control method,
And identifying that the application included in the log generated according to the third rule among the at least one security verified application included in the list is tampered with.

Images